An unexpected Starknet collection that the user does not want can be minted when the user deposits an NFT.
When users deposit an NFT using the function Starklane::depositTokens(), they may expect a certain collection on Starknet to be minted.
The collection will be minted on L2. But when the user submits the deposit token transaction, _l1ToL2Addresses[collectionL1]
can change, either because the admin overwrites and updates the collection address, or because a collectionL2
is deployed.
The user does not mint the NFT they want.
Manual Review
We recommend the following change in Starklane::depositTokens():
Please, do not suppose impacts, think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity A PoC always helps to understand the real impact possible.
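The timing dependence described in the finding, as an added Python model that is not part of the submission or of the Starklane code base: the mapping is read when the deposit executes, so an update that lands first changes the L2 collection that is used. The class, the method names, the addresses and the expected_l2 guard are assumptions made for illustration; the guard is one possible check, not the change the submission recommends.

```python
class BridgeModel:
    """Simplified stand-in for the L1 bridge state (hypothetical, not Starklane code)."""

    def __init__(self):
        self.l1_to_l2 = {}   # models _l1ToL2Addresses
        self.messages = []   # (collection_l1, collection_l2, token_ids) sent toward L2

    def set_l1_l2_mapping(self, collection_l1, collection_l2):
        # Models an admin overwrite, or registration after a collectionL2 is deployed.
        self.l1_to_l2[collection_l1] = collection_l2

    def deposit_tokens(self, collection_l1, token_ids, expected_l2=None):
        # The mapping is read at execution time, not when the user signed.
        current = self.l1_to_l2.get(collection_l1)  # None means "not mapped yet"
        # Hypothetical guard: the caller states which L2 collection they saw,
        # and the deposit reverts if the mapping no longer matches it.
        if expected_l2 is not None and current != expected_l2:
            raise RuntimeError(f"mapping changed: expected {expected_l2}, got {current}")
        self.messages.append((collection_l1, current, tuple(token_ids)))
        return current


def simulate(with_guard):
    """Replay: user checks the mapping, it is updated, then the deposit executes."""
    bridge = BridgeModel()
    l1 = "0xL1_COLLECTION"                      # constructed sample values
    bridge.set_l1_l2_mapping(l1, "0xL2_OLD")
    seen_by_user = bridge.l1_to_l2[l1]          # what the user saw before signing
    bridge.set_l1_l2_mapping(l1, "0xL2_NEW")    # update lands before the deposit
    guard = seen_by_user if with_guard else None
    try:
        used = bridge.deposit_tokens(l1, [1, 2], expected_l2=guard)
        return {"seen": seen_by_user, "used": used, "reverted": False}
    except RuntimeError:
        return {"seen": seen_by_user, "used": None, "reverted": True}


if __name__ == "__main__":
    print("no guard:  ", simulate(with_guard=False))
    print("with guard:", simulate(with_guard=True))
```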